Top

Published in:

2019 | OriginalPaper | Chapter

A Security Evaluation of Industrial Radio Remote Controllers

Authors : Federico Maggi, Marco Balduzzi, Jonathan Andersson, Philippe Lin, Stephen Hilt, Akira Urano, Rainer Vosseler

Published in: Detection of Intrusions and Malware, and Vulnerability Assessment

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Heavy industrial machinery is a primary asset for the operation of key sectors such as construction, manufacturing, and logistics. Targeted attacks against these assets could result in incidents, fatal injuries, and substantial financial loss. Given the importance of such scenarios, we analyzed and evaluated the security implications of the technology used to operate and control this machinery, namely industrial radio remote controllers. We conducted the first-ever security analysis of this technology, which relies on proprietary radio-frequency protocols to implement remote-control functionalities. Through a two-phase evaluation approach we discovered important flaws in the design and implementation of industrial remote controllers. In this paper we introduce and describe 5 practical attacks affecting major vendors and multiple real-world installations. We conclude by discussing how a challenging responsible disclosure process resulted in first-ever security patches and improved security awareness.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter Overshadow PLC to Detect Remote Control-Logic Injection Attacks

next chapter Understanding the Security of Traffic Signal Infrastructure

An Arduino-based open-hardware/software research framework to analyze sub-GHz radio protocols: https://github.com/trendmicro/rfquack.

Multi transmitter and multi receiver scenarios are possible.

For example: http://www.hetronic.com/Control-Solutions/Receivers/Serial-Communication.

Liebherr and Schneider Electric use Bluetooth Low Energy (BLE).

Searchable FCC ID database at https://fccid.io.

Autec (established in 1986), Hetronic (1982), Saga (1997), Circuit Design (1974), Elca (1991), Telecrane (1985), Juuko (1994), HBC-radiomatic (1947), Cattron (1946), Tele Radio (1955), Scanreco (1980), Shanghai Techwell Autocontrol Technology (2005), Remote Control Technology (1982), Akerstroms (1918), Jay Electronique (1962), Itowa (1986), 3-Elite (1995).

https://www.airspayce.com/mikem/arduino/RadioHead/.

https://www.telecrane.it/en/tablet-with-original-software/.

https://www.nuand.com/product/bladerf-x115/.

https://www.ettus.com/product/details/UN210-KIT.

http://www.baudline.com/.

https://www.saleae.com/.

http://www.sagaradio.com.tw/SAGA1-L6B.html.

http://dangerousprototypes.com/docs/Bus_Pirate.

Write-only operations are normally permitted even without password, but only limited to the code area (i.e., not the boot loader). These are not very useful, because one could blindly write data into the flash.

http://www.juukoremotecontrol.com/en/products/transmitter/jk-800-en.

A FSK variant in which a Gaussian filter is applied to the signal to smoothen level transitions.

CVE-2018-19023, ZDI-CAN-6183 [1], ZDI-18-1336, ZDI-CAN-6185 [1], ZDI-18-1362, ZDI-CAN-6187 [1], CVE-2018-17903, CVE-2018-17921, CVE-2018-17923, CVE-2018-17935.

Andersson, J., et al.: A security analysis of radio remote controllers for industrial applications. Technical report, Trend Micro, Inc., January 2019. https://documents.trendmicro.com/assets/white_papers/wp-a-security-analysis-of-radio-remote-controllers.pdf

Arkansas: Heavy load accident (2013). https://cdn.allthingsnuclear.org/wp-content/uploads/2015/02/FS-181-PDF-File-with-links.pdf

Balduzzi, M., Pasta, A., Wilhoit, K.: A security evaluation of AIS automated identification system. In: Proceedings of the 30th Annual Computer Security Applications Conference, ACSAC 2014, New Orleans, LA, USA, 8–12 December 2014, pp. 436–445 (2014). https://doi.org/10.1145/2664243.2664257

Bhatti, J., Humphreys, T.E.: Hostile control of ships via false GPS signals: demonstration and detection. Navig. J. Inst. Navig. 64(1), 51–66 (2017)CrossRef

Blossom, E.: GNU radio: tools for exploring the radio frequency spectrum. Linux J. 2004(122), 4 (2004)

Costin, A., Francillon, A.: Ghost in the air (traffic): on insecurity of ADS-B protocol and practical attacks on ADS-B devices. In: Black Hat USA, pp. 1–12 (2012)

CYREN: Cyber pirates targeting logistics and transportation companies (2018). https://www.cyren.com/blog/articles/cyber-pirates-targeting-logistics-and-transportation-companies

Fleury, T., Khurana, H., Welch, V.: Towards a taxonomy of attacks against energy control systems. In: Papa, M., Shenoi, S. (eds.) ICCIP 2008. TIFIP, vol. 290, pp. 71–85. Springer, Boston, MA (2008). https://doi.org/10.1007/978-0-387-88523-0_6CrossRef

Fouladi, B., Ghanoun, S.: Security evaluation of the Z-wave wireless protocol. In: Black Hat USA, vol. 24, pp. 1–2 (2013)

10.

Francillon, A., Danev, B., Capkun, S.: Relay attacks on passive keyless entry and start systems in modern cars. In: Proceedings of the Network and Distributed System Security Symposium (NDSS). Eidgenössische Technische Hochschule Zürich, Department of Computer Science (2011)

11.

Goodspeed, T.: Practical attacks against the MSP430 BSL. In: Twenty-Fifth Chaos Communications Congress (2008)

12.

Greenberg, A.: Crash override malware took down Ukraine’s power grid last December 2017. https://www.wired.com/story/crash-override-malware/

13.

Texas Instruments: CC1120 user’s guide (2013). http://www.ti.com/lit/ug/swru295e/swru295e.pdf

14.

Kamkar, S.: Drive it like you hacked it: New attacks and tools to wirelessly steal cars (2015). https://samy.pl/defcon2015/

15.

Kerns, A.J., Shepard, D.P., Bhatti, J.A., Humphreys, T.E.: Unmanned aircraft capture and control via GPS spoofing. J. Field Robot. 31(4), 617–636 (2014)CrossRef

16.

Papp, D., Ma, Z., Buttyan, L.: Embedded systems security: threats, vulnerabilities, and attack taxonomy. In: 2015 13th Annual Conference on Privacy, Security and Trust (PST), pp. 145–152. IEEE (2015)

17.

Pohl, J., Noack, A.: Universal radio hacker: a suite for analyzing and attacking stateful wireless protocols. In: 12th USENIX Workshop on Offensive Technologies (WOOT 2018). USENIX Association, Baltimore, MD (2018). https://www.usenix.org/conference/woot18/presentation/pohl

18.

Quarta, D., Pogliani, M., Polino, M., Maggi, F., Zanchettin, A.M., Zanero, S.: An experimental security analysis of an industrial robot controller. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 268–286, May 2017. https://doi.org/10.1109/SP.2017.20

19.

Texas-Instrument: CC1110Fx/CC1111Fx. http://www.ti.com/lit/ds/symlink/cc1110-cc1111.pdf

20.

TrendMicro: Triton wielding its trident - new malware tampering with industrial safety systems, December 2017. https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/triton-wielding-its-trident-new-malware-tampering-with-industrial-safety-systems

21.

Vidgren, N., Haataja, K., Patino-Andres, J.L., Ramirez-Sanchis, J.J., Toivanen, P.: Security threats in ZigBee-enabled systems: vulnerability evaluation, practical experiments, countermeasures, and lessons learned. In: 2013 46th Hawaii International Conference on System Sciences (HICSS), pp. 5132–5138. IEEE (2013)

22.

Wilhoit, K.: KillDisk and BlackEnergy are not just energy sector threats, February 2016. https://blog.trendmicro.com/trendlabs-security-intelligence/killdisk-and-blackenergy-are-not-just-energy-sector-threats/

23.

Wright, J.: KillerBee: Practical ZigBee exploitation framework or wireless hacking and the kinetic world (2018)

24.

Yaneza, J.: 64-bit version of Havex spotted, December 2014. https://blog.trendmicro.com/trendlabs-security-intelligence/64-bit-version-of-havex-spotted/

25.

ZDI: Disclosure policy. https://www.zerodayinitiative.com/advisories/disclosure_policy/

Title: A Security Evaluation of Industrial Radio Remote Controllers
Authors: Federico Maggi
Marco Balduzzi
Jonathan Andersson
Philippe Lin
Stephen Hilt
Akira Urano
Rainer Vosseler
Publisher: Springer International Publishing
Book: Detection of Intrusions and Malware, and Vulnerability Assessment
Print ISBN: 978-3-030-22037-2

Electronic ISBN: 978-3-030-22038-9

Copyright Year: 2019
DOI: https://doi.org/10.1007/978-3-030-22038-9_7

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner